Companies collect data on us --- so what?

2009-07-24

It is very common among security people to take privacy issues seriously. When we hear that a particular service collects personal data on us, we get extremely anxious. We will not use services that collect personal data that are not necessary to render the service. Sometimes we will forgo using a useful service, just because it requires that we feed in personal data, or because we do not like the wording of the privacy policy, of its lack of...

To us, security people, having a company collect personal information on our shopping habits, surfing habits, reading habits, or eating habits, is just wrong. Technologists like Cory Doctorow call to treat personal data like weapons-grade plutonium, because data that is collected never vanishes. Others, like Bruce Schneier, write essays on why the average (that is, non-criminal) citizen should not agree to being watched, although he did nothing wrong. All is true, and having governments collect too much data on individuals is risky. Such data, if available, is likely to be abused at some point in time, a point which is probably closer than it appears.

It is easy to explain why one would not like the government to have too much data on himself. I would like to discuss another type of data: the commercial data that privately held companies such as Amazon, Google (on Google apps users), and Facebook, collect. Why should I care about having my personal data on-line?

As a security person, I just don't like having my data available where it shouldn't, even if this data is not something that can get me behind bars, or that can make me lose money. However, when discussing this with a non-security-oriented person, I found myself having to seek explanation for my behavior. Why do I care that Google reads my personal e-mails? Why do I care that adware traces the websites I visit? Fact is, some people, when being told that they leave traces on-line and that these traces allow various companies to generate a profile for marketing purposes, simply reply that they don't care: “So they know I like motorcycles; so what?” and “I get tons of spam anyway, it may just as well be better tailored to my interests.” Governments, politics, and surveillance aside — why do we, sane security people, care about marketing groups collecting private data to tailor their campaigns better?

I care. Here is why:

First, I treat it as an axiom that, for the most part (sorry for the generalization), advertisements are bad for the public. They mostly involve benefiting a few at the discomfort of many. The cost-effectivity of advertisement campaigns is often thanks to externality costs — costs that exist, but which the advertiser does not bear, and thus does not care about. Telemarketing phone calls are annoying, spam mail is annoying and costs bandwidth and maintenance of filtering machines, and mailed paper ads harm the environment. There are exceptions: there are a few cases where you knowingly agree to receive advertisement material in exchange for something else (e.g., TV content). You agree to pay the price because you like what you get in return. However, when dealing with unsolicited proposals, such as spam, this is obviously not the case. You get nothing in return for receiving spam mail and paper brochures. I therefore take it as an axiom that being exposed to proposals you did not ask for is “bad”, from your perspective. It is something you do not want more of.

By allowing advertisers to collect personal data on you, and by allowing advertisers to build a profile on you, you allow for better targeted campaigns. Better targeted campaigns create more sales, and as such they are more valuable to the advertiser. If a product vendor is willing to pay $0.0001 for every non-targeted promotional message that gets sent, he will be willing to pay $0.1, or more, for each well-targeted message that gets sent (expecting higher return on investment with these messages). Compare the amount paid for a single spam message to the amount paid for a keyword-targeted click in Google Adwords, for example. Companies pay $5 per click on an ad when the ad is known to be displayed only to potentially interested surfers.

By allowing spam to be targeted effectively, and thus increasing its value, you encourage the flow of more money into a system that eventually harms you (see above). By significantly increasing spammers revenues, you increase their resources, and these are exactly the resources that you will need to counteract later. The money generated by the well-targeted campaigns will eventually be routed into research and development of technologies for bypassing spam filters, for development of anti-virus-evading adware, and for finding yet more creative means for forcing you into being exposed to content you never asked for.

We are lucky that spam today is largely ineffective. As such, its value to advertisers is limited, and so are its revenues — high enough to allow it to exist and be annoying to some, but not high enough to be able to defeat corporate grade filters. The last thing we want is to boost spammers' revenues by empowering their products. It will cost us a lot to counter the monsters that this money will buy.